Date: Mon, 30 Jul 2007 17:16:11 GMT
From: Ali Lomonaco <ali@redanvil.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/115055: openbgpd rfc2385 support
Message-ID: <200707301716.l6UHGBM9020401@www.freebsd.org>
Resent-Message-ID: <200707301720.l6UHK2dV069300@freefall.freebsd.org>
>Number: 115055
>Category: ports
>Synopsis: openbgpd rfc2385 support
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Mon Jul 30 17:20:02 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Ali Lomonaco
>Release: 6.2-RELEASE
>Organization:
>Environment:
FreeBSD mgmt-02.noc.redanvil.net 6.2-RELEASE FreeBSD 6.2-RELEASE #2: Tue Jul 24 20:03:55 CDT 2007 anvil@mgmt-02.noc.redanvil.net:/usr/src/sys/amd64/compile/MGMT-02 amd64
>Description:
The openbgpd port applies some patches to get around the missing pfkey support which disallow any rfc2385 support to be configured for a peer.
>How-To-Repeat:
setkey -c
add 1.1.1.1 1.1.1.2 tcp 0x1000 -A tcp-md5 "secret" ;

in bgpd.conf:
group "g1" {
    neighbor 1.1.1.2 {
        tcp md5sig password "secret"
    }
}

Session stays in IDLE state.
>Fix:
The attached patch will allow rfc2385 to be configured for a peer even though pfkey doesn't exist. See setkey(8) for instructions on how to configure rfc2385 support.

diff -Nru openbgpd/files/patch-bgpd_pfkey_compat.c /usr/ports/net/openbgpd/files/patch-bgpd_pfkey_compat.c --- openbgpd/files/patch-bgpd_pfkey_compat.c Tue Jul 24 23:02:37 2007 +++ /usr/ports/net/openbgpd/files/patch-bgpd_pfkey_compat.c Thu Jul 19 06:58:59 2007 @@ -7,7 +7,7 @@ +int +pfkey_establish(struct peer *p) +{ -+ if (p->conf.auth.method > AUTH_MD5SIG) ++ if (p->conf.auth.method) + return (-1); + return (0); +} @@ -15,7 +15,7 @@ +int +pfkey_remove(struct peer *p) +{ -+ if (p->conf.auth.method > AUTH_MD5SIG) ++ if (p->conf.auth.method) + return (-1); + return (0); +} diff -Nru openbgpd/files/patch-bgpd_session.c /usr/ports/net/openbgpd/files/patch-bgpd_session.c --- openbgpd/files/patch-bgpd_session.c Tue Jul 24 23:20:40 2007 +++ /usr/ports/net/openbgpd/files/patch-bgpd_session.c Wed Dec 31 18:00:00 1969 
@@ -1,20 +0,0 @@ ---- bgpd/session.c.orig Tue Jul 24 23:11:06 2007 -+++ bgpd/session.c Tue Jul 24 23:13:46 2007 -@@ -982,7 +982,7 @@ session_accept(int listenfd) - } - } - -- if (p->conf.auth.method != AUTH_NONE && sysdep.no_pfkey) { -+ if (p->conf.auth.method != AUTH_NONE && sysdep.no_pfkey && sysdep.no_md5sig) { - log_peer_warnx(&p->conf, - "ipsec or md5sig configured but not available"); - close(connfd); -@@ -1041,7 +1041,7 @@ session_connect(struct peer *peer) - return (-1); - } - -- if (peer->conf.auth.method != AUTH_NONE && sysdep.no_pfkey) { -+ if (peer->conf.auth.method != AUTH_NONE && sysdep.no_pfkey && sysdep.no_md5sig) { - log_peer_warnx(&peer->conf, - "ipsec or md5sig configured but not available"); - bgp_fsm(peer, EVNT_CON_OPENFAIL);
>Release-Note:
>Audit-Trail:
>Unformatted:
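
Review bot: The diff direction looks inverted at the file headers: the `---` side is openbgpd/files (Tue Jul 24 2007) and the `+++` side is /usr/ports/net/openbgpd/files (Thu Jul 19 2007), so the `+` lines carry `if (p->conf.auth.method)` and patch-bgpd_session.c shows up as a deletion (`@@ -1,20 +0,0 @@`, new side dated Wed Dec 31 18:00:00 1969). That is the opposite of the fix the report describes. Regenerate the diff with the ports tree as the old side and the modified copy as the new side, or say explicitly that it has to be applied with patch -R.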
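
Review bot: In pfkey_establish() and pfkey_remove() in patch-bgpd_pfkey_compat.c, the `p->conf.auth.method > AUTH_MD5SIG` test depends on the ordering of the auth method constants, which these hunks do not show; an explicit comparison against AUTH_NONE and AUTH_MD5SIG would state the intent and survive a reordering. With that form the stubs also return 0 for md5sig without installing any key, so a peer whose setkey(8) entry is missing or does not match gets no diagnostic from bgpd. A comment or log line saying the key is expected to be configured through setkey(8) would make that dependency visible.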
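
Review bot: The added `&& sysdep.no_md5sig` in the session_accept() and session_connect() hunks of patch-bgpd_session.c makes the check fail only when pfkey and md5sig are both unavailable, whatever method the peer has configured. A peer configured for an IPsec method on a host with `sysdep.no_pfkey` set but md5sig available now passes this check, and the warning "ipsec or md5sig configured but not available" no longer describes the condition. Suggest branching on the method: test AUTH_MD5SIG against `sysdep.no_md5sig` and the other methods against `sysdep.no_pfkey`. The visible lines also do not show where `sysdep.no_md5sig` is set for FreeBSD, which should be part of the same change.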